Article: Data security is integral to human capital strategy: Kristin Leary

Kristin Machacek Leary, Chief Human Resources Officer at Forcepoint, talks about the fundamentals of preventing insider threat and HR’s role in it

In the age of digital disruption, businesses are at risk of insider threat, and this has affected not just organizations but also nations at large. This makes it essential to protect employees and organizations from the risks of insider threat. Although most organizations consider this the responsibility of the IT department, HR also has a major role in safeguarding the company’s assets. In an interview with People Matters, Kristin Machacek Leary, Chief Human Resources Officer at Forcepoint, shared the fundamentals of preventing insider threat and HR’s role in it.

Here is an excerpt from the interview:

Q. How do you look at insider threat? 

Insider threat can be looked at in a few different ways. Insider threat can be everything from a malicious person who is trying to harm a company or a country to somebody who is innocent, for instance, an employee accidentally clicking a wrong button and getting a virus into their system. So, sometimes it’s malicious; oftentimes it is not, it’s accidental. But regardless, it's an imposed risk to the system and a threat to the organization.

Q. Insider threat is a global issue and it is being said that the risks of it can't be mitigated only through IT security measures. What do you think is lacking?

I think what’s lacking is the partnership between HR and the Chief Information Security Officer (CISO) or the IT department. In many organizations, they run very traditional offices, and they are set up in silos, where HR does not talk to the Chief Information Security Officer, and he further doesn’t communicate with the legal team. And within these three groups, we have the greatest amount of information about employees. Talking about Forcepoint, we have an expression that I am very passionate about, and I wish that more organizations would adopt. We believe in ‘how do we stop the bad, and free the good’. ‘Bad’ refers to the malicious intruder, with intent to harm, and the ‘good’ refers to the accidental threat. It’s not only about addressing an employee but about taking care of the entire employee base. We establish trust with the employees to make them aware of the tools and solutions we are utilizing in the cybersecurity space. We use Forcepoint’s own solution at Forcepoint and that really helps, but it’s come from building a trust relationship with our employees.

Q. What role can the HR play in preventing the organization from the risks of insider threat?

Data security is integral to human capital strategy. Generally, people believe that this is the role of IT and role of CISO, not theirs. I challenge them to think differently because we are at the cutting edge when we think about HR from a cybersecurity lens. 

Q. How can a strong company culture be created and maintained to prevent insider threat? 

The best way to start is by being transparent. We spend time with our employees, globally, to talk about the importance of culture. We have ongoing open dialogues with our employees about various topics. Of course, there are topics because of sensitivity that we are unable to discuss, but that's a small percentage. We have been able to create this transparent culture at Forcepoint all over the world from India to Argentina to the US to countries in Europe because this transparency starts with the CEO, then further moves on to the management team and finally to every single employee regardless of levels. We are transparent and have open dialogues with our employees. We don’t have hidden agendas and that’s allowed us to implement amazing solutions that are in the cybersecurity space. 

Q. How did you design and implement processes and procedures to build this culture in your company? 

Before you complicate things with processes, it's important to have a real human dialogue because at the end we are dealing with humans, and humans, as you know, are complex beings. So we don't believe in over-engineering things. But of course, we have processes and policies that are put in place after identifying the core areas. For instance, policies related to website access. People use their own devices, and if they want to go on their Facebook page, Instagram or LinkedIn, we don’t monitor or limit that. We make policies but they are not bureaucratic. We want our employees to be motivated. We are not spying on people, but we are educating them. So one of the key steps in our process is to truly educate our employees on what we do and how we do it, in the context of cybersecurity. We do look at this concern from the lens of protecting the company’s assets, but our priority is protecting our employees. At Forcepoint, yes, we safeguard our corporate assets, but we also want to protect our employees.

Q. How do you handle unwitting insiders (who had no intent to harm)? What is the strategy for reducing such cases and what is the protocol when such cases arise? 

We go through the protocol with our Chief Security Officer and their deputies who work on this. HR is immediately notified that there has been a breach. The person in HR who is notified is the HR business partner for the specific business, group or function. We keep this at the lowest level possible. I should not be made aware of every single item. It could be, but I don’t need to be, out of respect to the employees. But immediately as a breach occurs, the process is that the officer notifies HR about the person that has been compromised and the system that has been compromised and so on. HR and IT then together investigate the case. And when it’s an instance where it's an innocent action, we have coachable conversations with our employees. We let them know about the implications of their actions and ways to prevent them from happening. For instance, when they walk away from their computer and leave it unlocked or when they lose their computer. Instead of penalizing them, we use this as an opportunity to educate them to help them understand the impact of their actions.

Q. Where and how does HR fit in the entire lifecycle of threat reduction? 

HR at Forcepoint plays a significant role because we approach cybersecurity from a human-centric approach. Every time we talk about a human-centric approach we are dealing with people and their complexities. So I am involved in every decision related to how we safeguard our assets. Our team is fortunate because we are authentically at the table, with the CEO and the peer group, engineers and the CISO office. We are there as an integral partner to help shape the policies as against just maintaining them. We are truly the business partner from the cybersecurity perspective.

Q. How can HR ensure that they have a voice at the table?

First and foremost, speak the language of business; second, know your functional craft exceptionally well; and third, be a global citizen and have a global perspective. If you are an HR business partner in India, you should think broader than just India, think about the Asia Pacific, and think about the global workforce, because that impacts people locally as well.

That’s when you have an authentic seat at the table, your opinion is valued, and you also insert yourself into the discussion. 
